What is the GDPR? The meaning of the new legislation explained

The GDPR (General Data Protection Regulation, EU Regulation 2016/679) is the European regulation on the protection of personal data. It applies in full from 25 May 2018 and, in Italy, supersedes most of the rules contained in the Privacy Code (Legislative Decree 196/2003).

Alongside directives and decisions, a regulation is one of the legislative acts of the European Union. It has general scope and direct applicability, which means that it does not need to be transposed by a Member State to become law. Where national legislation conflicts with a regulation, EU law prevails and the Member State must amend its national rules accordingly.

The regulation aims to harmonise data protection law across all EU countries, in order to simplify the regulatory environment for cross-border business and to give all European citizens greater control over, and security of, their data, especially with regard to social networks and cloud service providers.

GDPR: what to do? What are the risks? 

The main changes introduced by the regulation concern the obligations of two roles: the data controller and the data processor.

Every organisation that processes personal data has a data controller (Article 4(7) GDPR), who plays a key role in the management of all activities carried out on personal data.

The data controller is responsible for all decisions on the purposes and means of the processing, and bears legal responsibility for compliance with the obligations laid down by data protection law, both national and European.

The data controller is also obliged to notify the supervisory authority (in Italy, the Garante per la protezione dei dati personali, the "Privacy Guarantor") of any personal data breach that is likely to result in a risk to the rights and freedoms of individuals, without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33).

The obligations attached to the role are summarised below:

-  to implement appropriate technical and organisational measures from the design stage onwards, so as to protect the rights of the data subject (privacy by design, Article 25);

-  to maintain the confidentiality of the data, understood as the duty not to use, communicate or disseminate other people's personal data in any way other than the processing that has been authorised;

-  to ensure that data are not lost, altered, destroyed or otherwise processed unlawfully and, consequently, to put appropriate security measures in place (Article 32);

-  to appoint the data processor by means of a contract or another legally binding act (Article 28) and, together with the processor, to implement technical and organisational measures that guarantee a level of security appropriate to the risk;

- to keep the record of processing activities (Article 30); the data processor keeps a corresponding record of the processing carried out on the controller's behalf.

In the private sector the data controller may be a natural or a legal person; in the public sector it is the public authority or body itself.

The controller is obliged to compensate any material or non-material damage caused by an infringement of the GDPR, its implementing rules or the delegated acts adopted under it (Article 82). It is exempted from this liability only if it proves that it is in no way responsible for the event giving rise to the damage.

In addition, the controller is bound to train everyone authorised to access personal data, the data processor included.

The data processor (in Italian, "responsabile del trattamento"), on the other hand, is appointed by the data controller whenever the controller outsources processing, and carries out the processing on the controller's behalf and instructions; the choice of purposes and means remains the responsibility of the data controller. The processor should not be confused with the Data Protection Officer (DPO), a separate role under Articles 37 to 39 of the GDPR which is mandatory only in specific cases (for example, public authorities and organisations whose core activities involve large-scale monitoring or large-scale processing of special categories of data).

GDPR privacy: what is the register of processing operations? Why it is important? 

Under the GDPR, the record of processing activities (Article 30) is a document that must be kept in writing, including in electronic form. It is needed to manage personal data in compliance with the regulation and also serves as evidence with which the company concerned can demonstrate that it handles data correctly (the accountability principle, Article 5(2)).

The record is kept by the data controller and by the data processor, who are required to cooperate with the supervisory authority and to make the record available to it on request, so that it can monitor and examine the processing activities.

Enterprises with fewer than 250 employees are exempted from keeping the record, so for companies with 250 or more employees it is always mandatory.

The exemption does not apply, however, if the processing is likely to result in a risk to the rights and freedoms of data subjects, if it is not occasional, or if it includes special categories of data (Article 9) or data relating to criminal convictions and offences (Article 10); such companies must keep the record regardless of their size.

GDPR and websites: what to do?

The GDPR also applies to the owners and managers of websites in the European Union and, in any case, to websites that offer goods or services to, or monitor the behaviour of, users in EU countries (Article 3(2)).

If such a website processes the personal data of identifiable users, for instance through cookies, the users must be informed about how their data are used in clear and plain language (Article 12), with explicit reference to the GDPR (General Data Protection Regulation).

Cookies are considered personal data, and are therefore subject to the GDPR, only when they can be used to identify an individual, on their own or in combination with other information (Recital 30).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.